Microsoft issues mammoth security update, biggest in five years
Fixes 28 flaws in Windows, Office, IE, ActiveX development tools and more
Computerworld - Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago.
Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged to be "important," the next step down, and two were pegged as "moderate." The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, and the company's most popular development tools, Visual Basic and Visual Studio.
Researchers agreed that one of the Windows updates should be tops on everyone's to-do list. "There are a few that will stick out for a lot of people," said Andrew Storms, director of security operations at nCircle Network Security Inc. "The GDI is one."
MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.
"This looks very similar to MS08-021," said Storms, referring to an April update that patched two other GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious Windows Metafile (WMF) images.
"[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "It's in the core kernel, it's always there, it's in all versions of Windows and the attack vector is pretty high." Like Storms, Sarwate put the update at the top of his list.
The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft's vaunted Security Development Lifecycle (SDL) process, under which it scrutinizes code as its written for bugs, really works. "Is SDL functioning? I don't know," Storms admitted. "Without seeing the code analysis, it's difficult to presume it's not."
"Yes, I think that's a fair question," said Wolfgang Kandek, chief technology officer at Qualys. "But is it realistic to expect Microsoft to find everything? No, it's not."
Storms said the IE update, MS08-073, would be his next highest update priority, simply because of the number of vulnerabilities it fixes -- four, all critical -- and because of the dominance of Microsoft's browser. After that, it gets murkier. "GDI and IE are certainly top of the list, but beyond that it's a toss-up," he said. "It's going to be difficult for people in the trenches to understand what to go after the first and second."
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!